Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-2q4w-x8h2-2fvh: Flowise Authentication Bypass vulnerability

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.

ghsa
Open in Source
#vulnerability#git#auth
miniProxy 1.0.0 Remote File Inclusion

miniProxy version 1.0.0 suffers from a remote file inclusion vulnerability.

Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors

The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early

SMS scammers use toll fees as a lure

Scammers are increasingly using toll fees as a lure in smishing attacks with the aim of grabbing victims' personal details and credit card information.

TDECU data breach affects half a million people

The Texas Dow Employees Credit Union (TDECU) has disclosed a data breach of 500,474 people, related to the MOVEit vulnerability.

PSA: These ‘Microsoft Support’ ploys may just fool you

We came a cross a clever abuse of Google and Microsoft's services that fooled us for a minute. See if you could have spotted it.

GHSA-22xm-w7r2-834q: FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function

A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

GHSA-grqx-r2q2-j425: FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function

A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

GHSA-6jrj-vc65-c983: unzip-stream allows Arbitrary File Write via artifact extraction

### Impact When using the `Extract()` method of unzip-stream, malicious zip files were able to write to paths they shouldn't be allowed to. ### Patches Fixed in 0.3.2 ### References - https://snyk.io/research/zip-slip-vulnerability - https://github.com/mhr3/unzip-stream/compare/v0.3.1...v0.3.2 ### Credits Justin Taft from Google

Invesalius 3.1 Remote Code Execution

Invesalius versions 3.1.99991 through 3.1.99998 suffer from a remote code execution vulnerability. The exploitation steps of this vulnerability involve the use of a specifically crafted DICOM file which, once imported inside the victim's client application, allows an attacker to gain remote code execution.